Safety Instrumented Systems / Cybersecurity

Reader Feedback: Consider All the NERC CIP Standards

If You Are Interested in NERC CIP Standards, You May Want to Start by Reading the Proposed Standards

By W. Doring

[This comment is in response to Joe Weiss' "Unfettered" blog post, "NERC CIP and Keeping Lights On—Are They the Same?"]

In fairness to NERC, and what looks to be an overall thought to increase FUD over actual reporting, it seems that you must have stumbled into the "NERC CIPS" [sic] SDT meeting on CIP-005-5. That standard is actually focused solely on boundary control systems.

If you are interested in NERC CIP standards, you may want to start by reading the proposed standards that the SDT has put out for draft on the updated version 5.1, available at NERC's website. You'll first notice that there are a lot more standards than simply CIP-005-5, including some you may want to also look into, such as CIP-007-5, CIP-010-5, etc. Those deal with the systems themselves, including configuration, hardening and other crucial activities.

Posting that the utility industry is not taking security seriously when only looking at a single standard really stinks of poor research and reporting. For full disclosure, I do work for a utility, and we have many staff members associated with CIP activities, both at the compliance and drafting level.

To say utilities do not value security is like saying McDonald's doesn't value its French fries. It is where money is made and people are served; if the power isn't on, there is no money to be made (and fines of up to $1 million per day to be paid). Companies are very serious about security, and have been putting major upward pressure on the few manufacturers of equipment out there to modernize. Until then, we can minimize attack footprints, take things completely offline, air-gap and take other standard risk mitigation measures that compose any good company's layered security approach.

W. Doring